M636C zardoz blue streak 1 On the lighter side can you figure out how long the derailment took ? Must have been one of the longest time sounds of metal hitting metal. Staying on the lighter side, I'm wondering where the video of the derailment is? Surely someone must have whipped out their phone to record the event. The derailment occured at about 6 AM in an area with no population. The derailment was initiated by reversing a crossover controlled fom 2000 km away. I can't imagine that anyone was sent to the area until the derailment had occurred. Peter
zardoz blue streak 1 On the lighter side can you figure out how long the derailment took ? Must have been one of the longest time sounds of metal hitting metal. Staying on the lighter side, I'm wondering where the video of the derailment is? Surely someone must have whipped out their phone to record the event.
blue streak 1 On the lighter side can you figure out how long the derailment took ? Must have been one of the longest time sounds of metal hitting metal.
Staying on the lighter side, I'm wondering where the video of the derailment is? Surely someone must have whipped out their phone to record the event.
The derailment occured at about 6 AM in an area with no population. The derailment was initiated by reversing a crossover controlled fom 2000 km away. I can't imagine that anyone was sent to the area until the derailment had occurred.
Peter
Does BHP install any cameras on their locomotives?
Greetings from Alberta
-an Articulate Malcontent
BaltACD Do the cars in this service have a 'bleed rod' to be able to handle cars without air? Would activating the bleed rod cause sufficient air movement to trip the train going into a air line initiated emergency brake application?
Do the cars in this service have a 'bleed rod' to be able to handle cars without air?
Would activating the bleed rod cause sufficient air movement to trip the train going into a air line initiated emergency brake application?
Somewhere in the discussion of this wreck, I did read that the cars do have conventional bleed rod controls that a person could pull by hand and it would bleed down the brake cylinder and reservoir as it typically done in order to switch a cut of cars. However, with conventional air brakes, pulling the bleeder rod on a car cannot trigger an emergency application on a cut of cars. I assume that would also be true with ECP brakes.
One question in this case with ECP is whether an emergency application could be made at all by a high volume, quick reduction in brake pipe pressure, as is the case with conventional pneumatic brakes. I would assume that is not possible.
Instead, I assume that an emergency application would have to be made by generating and sending an electronic signal through the ECP system. This would be done with an electronic switch that would send a signal to the ECP control valve on each car, telling the valves to open a connection between the emergency reservoir on each car and the brake cylinder on each car. The electrical power needed to send the signal to each control valve, and to power each control valve to obey the command would come from the battery on each car.
That is how it would be done in normal operation, but I don’t know if it is even possible in the case of the BHP train, after the one-hour clock runs out. After all, the point of that one-hour-later automatic release of the initial service application is to eliminate battery power in order to save battery charge. However, this gets back to the unanswered, fundamental question as to why the loss of battery charge would be so imminent as to require releasing the initial service application in just one hour.
In order to save battery charge, they are disconnecting batteries from any potential use. So they would be disconnected from use in powering the command signals and valve action needed for the emergency application.
My thought was that an engineer out setting brakes and suddenly experiencing the air brakes release and the train starting to move would be thinking of any way possible to stop the runaway because the train would start out slowly, and there might be time for some heroic action. If the engineer was only a few cars back from the engines, he might be able to catch up with them and board them. But if the engineer is many cars back from the engines when the brakes release, the head end would get away before he could catch up with it.
That raises the question of whether an emergency application could have been made from one of the cars. But even if the engineer was at the cab controls, could he have made any sort of brake application that could have stopped the train? It may be that stopping the train by using brakes after the one-hour release was virtually impossible.
That would leave a train heading off to its doom with emergency reservoirs fully charged, and an engineer possibly in the cab, but no way to use the reservoir air to activate the brake cylinders to stop the runaway.
Never too old to have a happy childhood!
After the automatic system executed the release of the “Service” application, I wonder if it was possible for a person to make an emergency application. The emergency reservoirs were charged and the ECP system still had full battery power. If, for example, the engineer were able to re-board the locomotives, would he have been able to make an “Emergency” application and stop the train?
When the train began to roll away, I wonder if the engineer could have gotten back on the locomotives as they rolled by. Maybe it was moving too fast at that point.
I don’t believe this point has been explained. What I have heard is that if an emergency application was not made within an hour after the system-generated service application, the service application would release. Does this then cancel the option to make an emergency application, or not?
Witnessing a derailment in progress is surreal!....Everything you know says things should be stopping - Gravity and momentum shout otherwise and cars keep moving and derailing - in slowing motion until all the kinetic energy of the train has been disapated.
blue streak 1 Euclid I suspect that this BHP wreck holds the world record for the most cars derailed in a derailment. The train was 268 cars long, and I count 26 cars still on the rails at the end of the train. So that is 242 cars derailed and destroyed when the 50,000 ton train was intentionally derailed at about 70 mph. What we see in the video are hopper cars mostly buried in an elongated heap of iron ore with mangled metal car parts visible as they emerge from the pile of ore. In this elongated heap, are the 242 derailed cars apparently tightly jackknifed and accordioned, and mostly buried in the iron ore they carried. That line of wreckage of the 242 ore cars is about the same length as the 26 cars still on the track. On the lighter side can you figure out how long the derailment took ? Must have been one of the longest time sounds of metal hitting metal. And as you said 26 cars stopped on the track so the whole train slowed to zero for 26 cars ?
Euclid I suspect that this BHP wreck holds the world record for the most cars derailed in a derailment. The train was 268 cars long, and I count 26 cars still on the rails at the end of the train. So that is 242 cars derailed and destroyed when the 50,000 ton train was intentionally derailed at about 70 mph. What we see in the video are hopper cars mostly buried in an elongated heap of iron ore with mangled metal car parts visible as they emerge from the pile of ore. In this elongated heap, are the 242 derailed cars apparently tightly jackknifed and accordioned, and mostly buried in the iron ore they carried. That line of wreckage of the 242 ore cars is about the same length as the 26 cars still on the track.
I suspect that this BHP wreck holds the world record for the most cars derailed in a derailment. The train was 268 cars long, and I count 26 cars still on the rails at the end of the train. So that is 242 cars derailed and destroyed when the 50,000 ton train was intentionally derailed at about 70 mph.
What we see in the video are hopper cars mostly buried in an elongated heap of iron ore with mangled metal car parts visible as they emerge from the pile of ore.
In this elongated heap, are the 242 derailed cars apparently tightly jackknifed and accordioned, and mostly buried in the iron ore they carried. That line of wreckage of the 242 ore cars is about the same length as the 26 cars still on the track.
If I am not mistaken, the whole train slowed to zero in about two miles after the derailment.
The time span of the derailment occurring would be hard to determine, but it helps to visualize it. I understand there were four engines and 268 cars. So the train was roughly 2.5 miles long. It was travelling about 70 mph when it was derailed by intentionally running it through a crossover where the sharp curvature of the crossover presumably tipped over the one or more engines. No air brakes were set at the time, and the train may have been descending a grade. In a typical derailment, the first air hose to part causes the brakes to make an “Emergency” application. This adds a lot of retardation to slow the train in addition to the resistance of the derailing cars. This train had no air brake retardation, although, apparently the engineer had set some handbrakes for train securement before the ECP brakes automatically released.
As the engines derailed, they were stopped quickly by digging into the ground and became a relatively fixed obstacle to the following train still entirely on the rails with most brakes released and traveling 70 mph.
The track was straight, so there was no tendency for the train to broadly buckle on a curve. So the oncoming train stopped itself by feeding its cars one by one into a heap. The ore loads must have been lifted by the impacts and created something like a very dense cloud of airborne ore that settled back into the line of wreckage as it progressed rearward with each car that plowed into it.
The derailing cars would have collided with the heap in the classic “accordion” fashion which is a zigzag pattern. As a car collides with the heap obstruction, it deflects and turns sideways to the line of track. If its front turns to the right, its rear is naturally turned to the left by the compressive buff force of the following car. So the cars derail in a continuation of that zigzag pattern. The end result is the derailed cars all stacked together side to side like a pile of cordwood. Although, much of this pileup is likely to be more chaotic than a pure zigzag pattern.
It would be interesting to model this derailment to get a real feel for the enormity of the crash. Approximately 2.25 miles of cars derailed into the pileup. The hind end of the train stopped moving about 2 miles after the derailment began. At its initial speed of 70 mph, that two miles would have taken about 103 seconds. But as the train decelerated during the pileup, the stopping time would have increased. I don’t have an estimate for that deceleration, but very roughly, it seems safe to assume that the train pileup process lasted for at least 2.5 minutes and maybe much longer such as 4 minutes. That is a lot of rumble time.
blue streak 1On the lighter side can you figure out how long the derailment took ? Must have been one of the longest time sounds of metal hitting metal.
blue streak 1Wonder if any of those 26 will have to be scrapped for excessive buff forces ?
The buff forces on the remaining 26 would have been negligable - all those that derailed ahead of them sustained the highest buff forces thus attenuating the forces that the rear 26 had to deal with.
Here is an example of my understanding about how this AAR ECP protocol works:
The train is running okay.
Suddenly a control/power cable becomes disconnected somewhere in the train, so all of the cars behind that break have lost power being transmitted through the power conductor of the control/power cable.
This event causes the ECP brake system to automatically switch from cable- transmitted power to each car, to battery power from a battery on each car.
Immediately after the power switchover, the ECP system generates a brake service application, which stops the train. It makes this service application by using battery power to electronically signal the brake control valve on each car to use battery power to open a valve port that allows air to pass from the pressurized service reservoir on each car into the brake cylinder on each car. Then the brake cylinders mechanically set the brakes on each car.
There are other valve positions associated with releasing the service application.
At this point, is battery power required to maintain these control valve functions in the service application position? I assume that the answer to that is no.
Is battery power required to change the positions of these valve functions in order to release the service application? I assume the answer to that is yes.
Therefore, if the train sat there long enough with the service application holding the brakes set, and the control/power cable remained disconnected, the batteries would lose their charge because they would not be receiving any charge under these conditions. If that happened, there would be no way to release the service application because no battery power would be available to energize the valves that would cause the release. How long might it take for the batteries to lose their charge? A week? A month?
How long is it going to take to fix the disconnected control/power cable on a 50,000 ton train delayed on the mainline? I would assume that the cable repair would take much, much less time than it would take for the batteries to lose hardly any charge. So what is the rush that calls for automatic intervention by releasing the service application after one hour has elapsed? And besides that, if maintaining the service application imposes no load on the batteries, why is there any need to release the service application at all?
Even if maintaining the service application does impose a load on the batteries, and runs them down to the point where their charge is insufficient to release the brakes; what difference does it make? The train is not going anywhere until the cable is repaired, and then the ECP system will be fully energized to enable all functions. The batteries would no longer be needed, and their recharge through the power cable could take as much time as necessary without causing any problems.
My understanding was that the batteries are used in the event the trainline power fails to part of the consist, either through problems on the locomotives or physical separation of part of the cable. The electric valves require power to operate to produce braking should the main power be lost; the batteries get around having to make the ECP valves 'fail safe' with some kind of positive spring return (which would result in immediate emergency braking of part of the consist and possible control issues, no matter how slowly dashpotted the spring closing might be).
I can see why the engineers involved in S-4200 might think it very important to conserve battery power on a train with a patent cable separation; the issue is that they ignored ways to assure positive train securement before going into 'conservation' by releasing the set...
I agree that would be a flawed system, however, it is not clear to me that that is what happens. It is not clear that the critical need for battery power is to keep brakes applied.
However, automatically releasing brakes that are holding a train on a grade seems deadly serious. The reason given of saving battery charge does not seem to justify the risk of releasing the brakes on the grade. So there must be some deadly consequence of losing battery charge that justifies the deadly risk of releasing the brakes. So what is the big deal about losing battery charge?
I will venture that any braking system the relys on battery power to keep the brakes applied is a failed system from the word go.
M636CThe requirement to shut down the cable signal to preserve the batteries is only important if you need to operate the train brakes in Pneumatic mode, since the batteries power the brake valves. BHP operate a system where every train uses ECP braking and every locomotive is ECP equipped. So there should be no need to ever operate a train or set of cars reying on batteries and air pipe pressure reductions.
BHP operate a system where every train uses ECP braking and every locomotive is ECP equipped. So there should be no need to ever operate a train or set of cars reying on batteries and air pipe pressure reductions.
So, as I understand what you are saying, the battery saving feature in the AAR protocol is not necessary for the BHP operation of ECP brakes. I am left with a few other questions:
Does the BHP braking system have batteries on each car, or any form of battery usage? If so, why are batteries needed?
If the BHP braking system did not include the automatic one-hour release feature of the AAR protocol; when the BHP brake system initially applied the brakes to stop the train in reaction to the control/power cable fault, how long could that brake application have held the train? If it eventually failed to hold the train, what would be the possible causes for that?
In cases where ECP uses batteries, if the AAR protocol to preserve battery charge were not included, what would be the consequences of losing battery charge in cases where the charge is not replenished through the ECP control/power cable?
However, when you get down to the final cause - ECP released the brakes and the train ran away.
Shouldn't a ECP trainline initiated brake application also initiate a signal that KEEPS the brakes applied AND disconnects the battery to save it until the ECP trainline is resotred?
The requirement to shut down the cable signal to preserve the batteries is only important if you need to operate the train brakes in Pneumatic mode, since the batteries power the brake valves.
The requirement to save the batteries was placed in the standard by the AAR who quite reasonably assumed that, initially at least, ECP trains would be an exception among conventional trains with Westinghouse brakes. This would be the case with an ECP train in the USA today.
This "all ECP" operation allowed the unexpected possibility of a runaway with the ECP shut down to preserve the batteries occuring as well.
The batteries were not needed since every locomotive could power an ECP train through the cable.
On the national network, however, people predicted a disaster worse than Australia's problem with different gauges with the introduction of ECP braking. This hasn't been the case. Most ECP trains are unit coal trains, with a few aggregate unit trains. At least three unit coal trains have air actuated valves that can be used when ECP equipped locomotives are not available, but these have smaller wagons for use on lighter track. Some cars were introduced with ECP equipment in place but isolated and operated using air actuated valves that were subsequently removed as that operator changed over to all ECP operation.
Paul of CovingtonLook on the bright side--the batteries didn't run down.
Yes, but they lost their charge in the end.
EuclidI suspect that this BHP wreck holds the world record for the most cars derailed in a derailment. The train was 268 cars long, and I count 26 cars still on the rails at the end of the train. So that is 242 cars derailed and destroyed when the 50,000 ton train was intentionally derailed at about 70 mph.
Look on the bright side--the batteries didn't run down.
_____________
"A stranger's just a friend you ain't met yet." --- Dave Gardner
I would not be surprised if nobody in the official body foresaw the possibility of the ECP protocol leading to a disaster such as it did with the BHP train. I suspect there may be a great controversy over how this could have gotten past so many people.
Probably the simplest explanation is this which Peter posted above, which is a safety alert by the Office of the National Rail Safety Regulator (my emphasis in red):
1 Subject
Use of Electronically Controlled Pneumatic braking and Automatic Train Protection systems.
2 Issue
An incident with serious safety concerns occurred following the runaway of a loaded freight train that was utilizing Electronically Controlled Pneumatic (ECP) braking.
The train received a penalty brake application while operating in ECP braking mode as a result of a disconnected electrical connector between two wagons. The train came to a stand on a gradient.
The driver has alighted from the cab to carry out an inspection. After one hour, during the course of applying the handbrakes, the train rolled away down the gradient. The train was run through a crossover in an attempt to purposefully, and successfully, derail it.
Initial enquiries into the incident have revealed a potential safety issue with respect to the effectiveness of the Automatic Train Protection (ATP) systems when configured for ECP braking.
Trains traditionally operate with a mechanical pneumatic braking system and some rolling stock has been fitted with an electronic overlay braking system commonly known as ECP braking.
ECP braking systems that comply with the American Association of Railroads standard AAR S-4200 have a software feature designed to preserve battery life on the ECP fitted wagons by releasing the electronic brakes on a train in circumstances where:
1) An electronic brake is applied by the ECP system
2) There is no communications between the ECP system on board the lead locomotive and the end of train; and
3) Sixty minutes has elapsed from the last communication.
Where these conditions exist the ECP braking system will release creating the risk of a rollaway incident unless the air pressure within the braking system has been released to atmosphere.
It seems, that to avoid a single-point-of-failure, the battery running down, they created another, failure to set the brake independantly.
It also sounds like this anomaly was missed on a systems-level analysis. Why would ATP rely only on ECP if the ECP could be a single-point-of-failure?
I think this is the applicable section of the BHP situation, communcations line disconnetion. On Page 81: (emphisis by me)
5.10.4.2 T/L COM TEST A Trainline Communications Diagnostic Test (T/L COM TEST) should be performed when there is a problem with the trainline communications. This test should be performed in the event that there is a problem, such as ECP EMER - NO EOT – T/L Power Shutdown. If there is a break in the trainline, such as a disconnected inter-car connector, this test will determine the location / vehicle where the break may be. The test may be performed when the locomotive is in ECP lead and RUN, SWITCH or Initialization mode and not moving. The Automatic brake handle must be placed into the full-service position before this test will be performed.
No mention of the brakes being released after a specific interval.
But memorizing 110 pages of somewhat repetitive instructions is something I would not expect an above average engineer to be responsible for, much less the average employee. I'm an Electrical Engineer and I found reading all 110 pages mind numbing. Perhaps with more hands on training, it would make more sense and maybe its my age but to blame an employee for failing to know that the train might release its brakes when I find NO mention anywhere in the 110 page publication is rediculous. I think any lawyer sould be able to defend this. Or have missed a line in the publication?
blue streak 1We believe that it has been stated that the US system retains the triple valve?
I didn't see this before.
This isn't an AAR standards issue; it's a (possibly proprietary by manufacturer) way to implement 'turnkey' ECP operability on a given car already working in interchange service with 1-pipe/triple valve brakes. It puts a separate electronically-actuated manifold and valve arrangement between the triple valve and its mounting, so that the single train line and all the functions work correctly for ECP when the system is 'set' for ECP, but can be run as Westinghouse or easily converted back to run as Westinghouse when needed without removing the ECP components.
It has been a while since I read descriptions of this conversion equipment, so I no longer have current links, but it should not be hard to find them. I do think it is unlikely that the triple on a 'conversion car' would act to set the brakes if this common-mode fault in S-4200 released them in ECP 'mode'...
jeffhergertIf we're going to discuss operation of ECP brakes, maybe we should look at the operator's manual. I haven't looked at completely yet, but here is NYAB's info. www.nyab.com/media/nyab_1/documents_1/technical/instructionpamphletsip/IP-237.pdf Jeff
www.nyab.com/media/nyab_1/documents_1/technical/instructionpamphletsip/IP-237.pdf
Jeff
NYAB Technical Manual5.10.1.10 Low T/L Voltage A. If the trainline power remains off, the % operable brakes will decrease until an alarm or penalty occurs. To make it more visible and attract the driver’s attention, a crew message will display "LOW T/L POWER" whenever the trainline power is turned off. B. This alarm will be provided in either ECP RUN or SWITCH mode. If trainline power is being commanded ON (sections 4.1 & 4.2) and the ECP EOT or Trainline Power Supply determines that trainline power is not active (less than approximately 100 VDC) an alarm message Low T/L Voltage will be displayed, the TL PWR display turns yellow and an audible tone will be given. C. This alarm is an indication that trainline power is very low and may no longer be available. Refer to Section 5.0 to correct this problem. The CCDs will continue to operate normally using their battery power. If the CCDs then cut-out, the ECP braking on that car will release and ECP braking will not be available on that car. When operating in ECP RUN mode, as CCDs cut-out, the percent operable will decrease and a penalty brake will be applied as described in section 5.10.2.5, 5.10.2.6 and 5.10.2.10. When operating in ECP SWITCH mode, the percent operable is not monitored and is therefore unknown.
If we're going to discuss operation of ECP brakes, maybe we should look at the operator's manual. I haven't looked at completely yet, but here is NYAB's info.
Nothing brake related should ever FAIL with movement being a option. Brakes must fail with the braked vehicle being stopped - ALWAYS.
My suggestion to the AAR is to write a few LOC and subroutines that interrogate and activate functions of the vigilance device(s) on the locomotive starting about 5% above critical battery voltage. And set the brakes via the 'penalty' arrangements of the vigilance system if the right response isn't received by the time automatic reset is received.
In essence, if there is no one responding in the cab to handle the impending brake release, the brakes will automatically be applied fully.
A little extra tinkering will give a 'distinctive ring' on the vigilance HMI for this specific function, to distinguish it from train-control concerns. I would be tempted to use synthesized voice clips.
This fixes the issue completely with no further Mickey Mouse FSM mislock opportunities...
Technically, the battery-saving automatic release of air brakes is fine if the operator follows the procedure to prevent the automatic release under circumstances in which that release poses a danger.
But the reasoning behind the automatic release has a fatal flaw because there is a great likelihood that an operator would forget or overlook the fact that a full brake application made for a safety reason would then turn around and cancel itself on its own, with no warning, after a timer runs one hour. With just a tiny bit of common sense, one can see that it is a major accident waiting to happen.
The system should not be made to default to a potentially catastrophic brake release that will automatically execute for the purpose of saving battery charge unless the operator overrides that default action. Instead, the system should default to the safe condition of sustained brake application, and then give the operator the option to override that default action for the purpose of saving battery charge. That is common sense.
Making this automatic response even more dangerous is the fact that it would rarely occur, thus making any practical awareness or anticipation of it unlikely. The process is also counter-intuitive with all train brake practice developed and understood by practical use over decades.
Nobody would naturally expect an advanced brake system that boasts greater safety, to make an autonomous brake application to stop the train for safety reasons; and then a little later, automatically release that brake application; simply because the operator did not make a second manual brake application in order to switch off the sudden release of the first brake application. I doubt than anybody in the committees that developed the procedure thought it through and considered all of the consequences.
The AAR represents an industry that does not use ECP brakes and also opposes the use of them. So why would the pioneering users of ECP brakes in other countries follow the programing and protocols developed by the AAR? Why wouldn’t those pioneers just develop their own programming and procedures, so they know they are reliable?
Our community is FREE to join. To participate you must either login or register for an account.